Linux – How to Monitor or Log Directory Permission Changes on CentOS5/RHEL5

centos5linuxpermissionsrhel5

I'm having an issue with a cPanel shared server running CentOS 5 where a few directories under the public_html folder keep getting changed to 777 from 755. The customer says they are not changing it and i'm wondering if there is a way to monitor these specific directories to find out who/what is changing the permissions.

I have looked into using auditctl and after testing it and changing the permissions myself I don't see anything in the logs so i'm not sure if i'm doing it right or if it's even possible.

Does anybody have any suggestions or ideas on how I could figure out what is changing the permissions?

Thanks!!

Best Answer

auditd works for me..

created a file named /var/www/html/1

Edited /etc/audit/audit.rules and added following and restarted auditd.

-w /var/www/html/1

Then ran following command.

# chmod 777 /var/www/html/1

In /var/log/audit/audit.log I saw following,

type=SYSCALL msg=audit(1349582090.742:414): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=17be0f0 a2=1ff a3=4000 items=1 ppid=2859 pid=3069 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1349582090.742:414):  cwd="/root"
type=PATH msg=audit(1349582090.742:414): item=0 name="/var/www/html/1" inode=6171184 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_content_t:s0

Tested in Fedora 17.

Related Solutions

Linux – How to Set Up Permissions for the WWW Folder

After more research it seems like another (possibly better way) to answer this would be to setup the www folder like so.

sudo usermod -a -G developer user1 (add each user to developer group)
sudo chgrp -R developer /var/www/site.com/ so that developers can work in there
sudo chmod -R 2774 /var/www/site.com/ so that only developers can create/edit files (other/world can read)
sudo chgrp -R www-data /var/www/site.com/uploads so that www-data (apache/nginx) can create uploads.

Since git runs as whatever user is calling it, then as long as the user is in the "developer" group they should be able to create folders, edit PHP files, and manage the git repository.

Note: In step (3): '2' in 2774 means to 'set Group ID' for the directory. This causes new files and sub directories created within it to inherit the group ID of the parent directory (instead of the primary group of the user) Reference: http://en.wikipedia.org/wiki/Setuid#setuid_and_setgid_on_directories

Vhost – Permission Denied in Document Root

It appears you've created a new directory outside the standard filesystem hierarchy to hold your web documents.

When you do this, SELinux is not aware of your custom directory structure, and doesn't know that Apache (httpd) should have access to it. You will see messages in /var/log/audit/audit.log showing denials in this case.

To actually fix the problem, you need to tell SELinux that Apache can access the directory. Do this using the semanage fcontext command:

semanage fcontext -a -t httpd_sys_content_t "/volume1/web(/.*)?"

The pattern matching is done with regular expressions, so this will match /volume1/web and everything below it. The fact that it uses regular expressions also means you need to quote it as shown above.

Then relabel the files:

restorecon -r -v /volume1/web

SELinux will now permit Apache to access files in /volume1/web.

Best Answer

Related Solutions

Linux – How to Set Up Permissions for the WWW Folder

Vhost – Permission Denied in Document Root

Related Topic